WC_API_Authentication::check_oauth_timestamp_and_nonce()
Verify that the timestamp and nonce provided with the request are valid. This prevents replay attacks where an attacker could attempt to re-send an intercepted request at a later time.
- A timestamp is valid if it is within 15 minutes of now
- A nonce is valid if it has not been used within the last 15 minutes
Method of the class: WC_API_Authentication{}
No Hooks.
Return
null. Nothing.
Usage
// private - for code of main (parent) class only
$result = $this->check_oauth_timestamp_and_nonce( $keys, $timestamp, $nonce );
- $keys (array) (required) - the API key record (the woocommerce_api_keys row), which carries the key_id and the serialized list of nonces already used with this key
- $timestamp (int) (required) - the unix timestamp for when the request was made
- $nonce (string) (required) - a unique (for the given user) 32-character alphanumeric string, consumer-generated
WC_API_Authentication::check_oauth_timestamp_and_nonce() code, WC 7.7.0
```php
private function check_oauth_timestamp_and_nonce( $keys, $timestamp, $nonce ) {
    global $wpdb;

    $valid_window = 15 * 60; // 15 minute window

    // Reject requests stamped more than 15 minutes in the past or the future.
    if ( ( $timestamp < time() - $valid_window ) || ( $timestamp > time() + $valid_window ) ) {
        throw new Exception( __( 'Invalid timestamp.', 'woocommerce' ) );
    }

    // Nonces already seen for this key are stored serialized on the key row, keyed by request timestamp.
    $used_nonces = maybe_unserialize( $keys['nonces'] );

    if ( empty( $used_nonces ) ) {
        $used_nonces = array();
    }

    if ( in_array( $nonce, $used_nonces ) ) {
        throw new Exception( __( 'Invalid nonce - nonce has already been used.', 'woocommerce' ), 401 );
    }

    $used_nonces[ $timestamp ] = $nonce;

    // Remove expired nonces
    foreach ( $used_nonces as $nonce_timestamp => $nonce ) {
        if ( $nonce_timestamp < ( time() - $valid_window ) ) {
            unset( $used_nonces[ $nonce_timestamp ] );
        }
    }

    $used_nonces = maybe_serialize( $used_nonces );

    // Persist the pruned nonce list back onto the API key row.
    $wpdb->update(
        $wpdb->prefix . 'woocommerce_api_keys',
        array( 'nonces' => $used_nonces ),
        array( 'key_id' => $keys['key_id'] ),
        array( '%s' ),
        array( '%d' )
    );
}
```
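The same window-and-nonce logic re-implemented in Python as an added example (not WooCommerce's own code) so the replay check described above can be exercised offline: the key record is a plain dict standing in for the woocommerce_api_keys row, and the clock is injected as `now` so the 15-minute window can be tested deterministically.

```python
import time

VALID_WINDOW = 15 * 60  # 15-minute window, as in the WooCommerce check


class ReplayError(Exception):
    """Raised where the PHP version throws its Exception."""


def check_timestamp_and_nonce(key_record, timestamp, nonce, now=None):
    """Validate one request against the nonces stored for an API key.

    key_record['nonces'] maps request timestamp -> nonce, mirroring the
    serialized array on the key row. The record is updated in place.
    """
    now = int(time.time()) if now is None else now
    # Step 1: the timestamp must lie within +/- 15 minutes of now.
    if timestamp < now - VALID_WINDOW or timestamp > now + VALID_WINDOW:
        raise ReplayError("Invalid timestamp.")
    used = key_record.setdefault("nonces", {})
    # Step 2: a nonce seen within the window is a replay.
    if nonce in used.values():
        raise ReplayError("Invalid nonce - nonce has already been used.")
    used[timestamp] = nonce
    # Step 3: drop nonces older than the window, like the PHP foreach/unset.
    for ts in [ts for ts in used if ts < now - VALID_WINDOW]:
        del used[ts]
    return True


def demo():
    """Walk one key through a valid request, a replay, a stale stamp, expiry."""
    key = {"key_id": 1, "nonces": {}}  # constructed stand-in for the DB row
    t0 = 1_700_000_000
    events = [check_timestamp_and_nonce(key, t0, "nonce-A", now=t0)]
    try:  # same nonce re-sent a minute later: rejected
        check_timestamp_and_nonce(key, t0, "nonce-A", now=t0 + 60)
    except ReplayError as e:
        events.append(str(e))
    try:  # fresh nonce but a timestamp an hour old: rejected
        check_timestamp_and_nonce(key, t0 - 3600, "nonce-B", now=t0)
    except ReplayError as e:
        events.append(str(e))
    # once the window has passed, nonce-A is pruned from the stored list
    later = t0 + VALID_WINDOW + 1
    check_timestamp_and_nonce(key, later, "nonce-C", now=later)
    events.append(sorted(key["nonces"].values()))
    return events
```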